diff --git a/.gitignore b/.gitignore index b5debb571..2e50cf307 100644 --- a/.gitignore +++ b/.gitignore @@ -31,3 +31,4 @@ results.* coverage.xml venv +report.html diff --git a/nettacker/modules/vuln/gitlab_cve_2021_39935.yaml b/nettacker/modules/vuln/gitlab_cve_2021_39935.yaml new file mode 100644 index 000000000..17180ce96 --- /dev/null +++ b/nettacker/modules/vuln/gitlab_cve_2021_39935.yaml 
@@ -0,0 +1,96 @@ +info: + name: gitlab_cve_2021_39935_vuln + author: OWASP Nettacker Team + severity: 8 + description: Detects GitLab instances vulnerable to CVE-2021-39935, + an unauthenticated Server-Side Request Forgery vulnerability in the + CI Lint API endpoint. Affects GitLab CE and EE versions 10.5 through + 14.5.1. Detection first confirms the instance is running a vulnerable + version via the public version API, then verifies the CI Lint endpoint + is accessible without authentication. Added to CISA KEV catalog with + federal patch deadline of February 24 2026. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2021-39935 + - https://gitlab.com/gitlab-org/gitlab/-/issues/346569 + - https://www.cisa.gov/known-exploited-vulnerabilities-catalog + - https://about.gitlab.com/releases/2021/02/11/security-release-gitlab-13-8-4-released/ + profiles: + - vuln + - http + - high_severity + - cve2021 + - cve + - gitlab + - ssrf + +payloads: + - library: http + steps: + - method: get + timeout: 3 + headers: + User-Agent: "{user_agent}" + allow_redirects: false + ssl: false + url: + nettacker_fuzzer: + input_format: "{{schema}}://{target}:{{ports}}/api/v4/version" + prefix: "" + suffix: "" + interceptors: + data: + schema: + - "http" + - "https" + ports: + - 80 + - 443 + - 8080 + - 8443 + response: + save_to_temp_events_only: gitlab_version_check + condition_type: and + conditions: + status_code: + regex: "200" + reverse: false + content: + regex: "\"version\":\"10\\.[5-9]\\.|\"version\":\"10\\.\\d{2,}\\.|\"version\":\"1[1-3]\\.|\"version\":\"14\\.[0-4]\\.|\"version\":\"14\\.5\\.0|\"version\":\"14\\.5\\.1" + reverse: false + + - method: post + timeout: 3 + headers: + User-Agent: "{user_agent}" + Content-Type: "application/json" + allow_redirects: false + ssl: false + url: + nettacker_fuzzer: + input_format: "{{schema}}://{target}:{{ports}}/api/v4/ci/lint" + prefix: "" + suffix: "" + interceptors: + data: + schema: + - "http" + - "https" + ports: + - 80 + - 443 + - 
8080 + - 8443 + json: + content: "stages: [test]" + dry_run: true + ref: "main" + response: + dependent_on_temp_event: gitlab_version_check + condition_type: and + conditions: + status_code: + regex: "200" + reverse: false + content: + regex: '"status"\s*:\s*"(valid|invalid)"|"errors"\s*:\s*\[' + reverse: false diff --git a/nettacker/modules/vuln/graphql.yaml b/nettacker/modules/vuln/graphql.yaml index 2ddfddab1..2e9f7038b 100644 --- a/nettacker/modules/vuln/graphql.yaml +++ b/nettacker/modules/vuln/graphql.yaml @@ -2,8 +2,12 @@ info: name: graphql_vuln author: OWASP Nettacker Team severity: 3 - description: + description: Detects exposed GraphQL introspection endpoints which can + reveal the full API schema structure to unauthenticated attackers, + potentially exposing sensitive types, queries, and mutations. reference: + - https://graphql.org/learn/introspection/ + - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/12-API_Testing/01-Testing_GraphQL profiles: - vuln - http @@ -33,17 +37,12 @@ payloads: - 80 - 443 endpoint: - - 1239b01720/graphql + - graphql + - api/graphql + - v1/graphql + - query json: - query: " - {{ - __schema {{ - types {{ - name - }} - }} - }} - " + query: "{__schema{types{name}}}" variables: "{{}}" response: condition_type: and @@ -52,5 +51,5 @@ payloads: regex: "200" reverse: false content: - regex: data|errors + regex: "(?s)__schema|types.*name" reverse: false diff --git a/nettacker/modules/vuln/ivanti_epm_cve_2026_1603.yaml b/nettacker/modules/vuln/ivanti_epm_cve_2026_1603.yaml new file mode 100644 index 000000000..a085b7b1b --- /dev/null +++ b/nettacker/modules/vuln/ivanti_epm_cve_2026_1603.yaml 
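Review bot: The version gate in the first step (`save_to_temp_events_only: gitlab_version_check`) over-matches patched releases: the alternative `\"version\":\"14\\.5\\.1` has no closing-quote anchor, so 14.5.10 through 14.5.19 also set the temp event and are reported as vulnerable, and `\"version\":\"14\\.[0-4]\\.` flags every 14.3.x and 14.4.x build even though, if I recall the December 2021 GitLab security release correctly, the fix was also backported to 14.4.4 and 14.3.6. Replacing the last two alternatives with the anchored `|\"version\":\"14\\.5\\.[01]\"` removes the first case, and the 14.3/14.4 ranges should be narrowed the same way once the fixed versions are confirmed against the advisory. A second thing to verify on a lab instance: as far as I know `GET /api/v4/version` only answers to an authenticated token and returns 401 otherwise, in which case the `status_code` 200 condition never holds during an unauthenticated scan, the temp event is never saved and the dependent CI Lint step never runs, so the module would silently report nothing. The fourth reference (the 13.8.4 release of February 2021) also predates this CVE and looks unrelated; the release notes for the fixed 14.5.2/14.4.4/14.3.6 versions would be the better link.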
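Review bot: The new single-line query `query: "{__schema{types{name}}}"` drops the brace doubling that the removed lines used and that the unchanged `variables: "{{}}"` line in the same step still uses; if the json body is passed through the same brace substitution as `{user_agent}` and `{target}`, the single braces will be treated as a replacement field and either raise a formatting error or produce a mangled body before any request goes out. If that substitution does apply, the value should be `query: "{{__schema{{types{{name}}}}}}"`; if it does not, `variables: "{{}}"` is currently sending the literal string `{{}}` and should be changed to match. Either way a check against the rendered request would settle it, and a one-line comment above `json:` stating which escaping rule applies to these values would stop the next edit from reintroducing the mismatch.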
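Review bot: The new content condition `regex: "(?s)__schema|types.*name"` matches the failure case as well as the success case: when introspection is disabled, servers such as graphql-js and Apollo typically answer with an error message that itself names `__schema` (along the lines of "introspection is not allowed … the query contained __schema"), and the `types.*name` alternative, with `(?s)` set, matches almost any HTML or JSON body containing those two words. Combined with `status_code` 200, which some servers return even for validation errors, this reports hardened endpoints as exposed. Anchoring on the success shape, `regex: '"data"\s*:\s*\{\s*"__schema"\s*:\s*\{'`, keeps the match on an actual schema dump, which is what the severity-3 finding describes.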
@@ -0,0 +1,63 @@ +info: + name: ivanti_epm_cve_2026_1603 + author: OWASP Nettacker Team + severity: 8 + description: Detects Ivanti Endpoint Manager instances vulnerable to + CVE-2026-1603, an authentication bypass via alternate path (CWE-288) + affecting all EPM versions prior to 2024 SU5. A remote unauthenticated + attacker sends a crafted HTTP request containing the magic number 64 + to bypass authentication controls and leak stored credential data + including Domain Administrator password hashes and service account + credentials from the EPM Credential Vault. Added to CISA KEV catalog + with federal patch deadline of March 23 2026. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2026-1603 + - https://hub.ivanti.com/s/article/Security-Advisory-EPM-February-2026-for-EPM-2024 + - https://www.cisa.gov/known-exploited-vulnerabilities-catalog + - https://www.zerodayinitiative.com/advisories/ZDI-26-1603/ + profiles: + - vuln + - http + - high_severity + - cve2026 + - cve + - ivanti + - auth_bypass + +payloads: + - library: http + steps: + - method: get + timeout: 3 + headers: + User-Agent: "{user_agent}" + X-Ivanti-Magic: "64" + allow_redirects: false + ssl: false + url: + nettacker_fuzzer: + input_format: "{{schema}}://{target}:{{ports}}/{{endpoint}}" + prefix: "" + suffix: "" + interceptors: + data: + schema: + - "http" + - "https" + ports: + - 80 + - 443 + - 8443 + endpoint: + - dms/portal + - dms/services/AuthenticationService + - dms/authenticate + response: + condition_type: and + conditions: + status_code: + regex: "200" + reverse: false + content: + regex: "Ivanti|EPM|LanDesk|credential|Endpoint\\.Manager" + reverse: false
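Review bot: The `content` condition `Ivanti|EPM|LanDesk|credential|Endpoint\\.Manager` only fingerprints the product, so any reachable EPM portal — patched 2024 SU5 included — that answers 200 with its own name or a login page mentioning credentials is reported as vulnerable to CVE-2026-1603 at severity 8; nothing in the conditions is tied to the bypass the description claims, and `EPM` and `credential` on their own will also match unrelated pages. The gitlab module in this same commit gates its finding on a version check before the dependent request; this module should either do the same with a marker that identifies builds prior to 2024 SU5, or restrict the content regex to the response element that the advisory describes as reachable only when the bypass succeeds, which I cannot identify from the hunk. Until one of those is in place the module is a product fingerprint and should be named and rated as such. Minor: the other two modules in this diff name themselves `<file>_vuln` (`graphql_vuln`, `gitlab_cve_2021_39935_vuln`), so if Nettacker keys on that convention this one should be `name: ivanti_epm_cve_2026_1603_vuln`.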